In our policy, we:
- define the different types of information we collect
- explain what isn't considered personal information
- describe the reasons we may collect personal or health information
- provide examples of the types of information we may collect or use
- explain how and why we use your personal and health information
- describe the reasons we may give your information to a third party
- commit to taking reasonable steps to protect your information
- explain how we do and don't use unique identifiers in relation to your information
- provide details of who you can contact to correct or update your information, or to make a complaint about the way we handle your information.
Public Transport Victoria (PTV) will collect, use, store and disclose personal information and health information in accordance with Information Privacy Principles (IPPs) set out in the Privacy and Data Protection Act 2014 (Vic) (PDP Act) and the Health Privacy Principles (HPPs) and the Health Records Act 2001 (Vic).
This policy outlines how PTV manages Personal Information and Health Information. Information is also provided about how people can seek assurance that their Personal Information and/or Health Information is maintained in accordance with the PDP Act and the Health Records Act 2001.
This policy applies to all employees of PTV when dealing with Personal Information or Health Information. Where PTV enters into a contract with another organisation for the provision of goods or services relevant to the functions and powers of PTV, those organisations will be required to manage all Personal Information and Health Information in accordance with the PDP Act and Health Records Act 2001 too, but may have their own relevant privacy policies.
This policy may be varied from time to time and will operate consistently, and in conjunction, with customised privacy policies and collection statements developed by individual business or work units within PTV to explain their particular privacy management practices.
Types of information
Personal information means information or opinion about an individual whose identity is apparent, or can reasonably be ascertained, from that information or opinion. Some examples of Personal Information are your name, sex, date of birth, address, financial details, marital status, education and employment history. Some Personal Information is called Sensitive Information and is given extra protection under the law. This includes information about an individual’s racial or ethnic origin, religious beliefs, political views, sexual preferences, membership of unions and criminal record.
Information about legal entities, including companies and other organisations, anonymous, de-identified or encrypted information is not personal information.
In this policy, the term Personal Information will refer collectively to Personal Information and Sensitive Information, unless otherwise specified.
Health information means information or an opinion that can be linked to an individual, whether living or deceased, that is about their physical, mental or psychological health; disability status; expressed wishes about the future provision of health services to him or her; a health service that has been provided; or a health service that will be provided.
What is not Personal Information?
Information about legal entities (e.g. companies, organisations), anonymous, de-identified, encrypted or information contained in generally available publications is not Personal Information as defined in this Policy and the Privacy and Data Protection Act 2014. Publications which are generally available include magazines, books, newspaper articles, annual reports, internet and the Victorian Government Gazette.
PTV will only collect Personal Information or Health Information from an individual if it is necessary for the provision of services to that individual, or to carry out PTV’s functions. PTV will always take reasonable steps to collect Personal Information or Health Information directly from the individual the information concerns.
PTV’s principal functions are to plan, coordinate and provide public transport services across Victoria.
Reasons that PTV may collect Personal Information or Health Information from a person include if they:
- are employed by, or apply to be employed by, PTV
- request to be placed on a mailing list maintained by PTV
- contact PTV directly, or contact the Victorian Government about a matter relevant to PTV’s function or services
- are provided with products or services by PTV
- make a request for access to documents under the Freedom of Information Act 1982 (Vic).
Collection statements and notices
At or before the time PTV collects any Personal Information or Health Information from a person (or if that is not practicable, as soon as practicable afterwards), PTV will take reasonable steps to ensure that they are given a collection statement setting out the purpose for collecting the information, how the information will be used and the consequences, if any, for not providing the information requested.
Whenever it is lawful and practical, PTV will provide people with the option of not identifying themselves.
Examples of information which may be collected, used, stored or disclosed by PTV
Correspondence (including email) or complaints addressed to Victorian Government Ministers or agencies, or queries made through PTV’s call centre regarding matters related to the functions of, or services provided by, PTV may be referred to PTV for advice and response. Such correspondence, as well as correspondence addressed directly to PTV may include Personal Information or Health Information, and may be accessed by PTV staff, subject to operational needs.
Copies of correspondence, applicable responses and details pertaining to correspondence received by PTV which contains Personal Information or Health Information may be retained by PTV for certain periods of time, in accordance with the Public Records Act 1973 and other applicable legislation.
Information collected on PTV’s website
Unless information is expressly provided to PTV by a visitor to PTV’s website, PTV will not know the identity of any visitor to its website. If there are “cookies” on PTV’s website, it will be the visitor’s choice to enable them or not.
Visitors to PTV’s website will be subject to PTV’s Internet Service Provider’s standard web logs, which record anonymous information about traffic patterns through PTV’s website for statistical purposes only. No attempt will be made by PTV to identify the personal details of any website visitor, except in the event that an investigation is undertaken by a law enforcement agency, exercising a warrant to inspect PTV’s Internet Service Provider’s logs.
Employment and recruitment information
If a person is employed by, or applies to be employed by, PTV, PTV may collect and store information about the recruitment process used and their application including reference checks, security clearances and criminal history checks undertaken as part of that process.
Employment and recruitment information collected by PTV is used or disclosed for people management purposes, including employee relations, human resources, payroll, learning and development, agency and government directory capability development and workforce planning, emergency management, occupational health and safety and public health, safety and welfare, disputes or litigation, and is retained in accordance with the Public Records Act 1973 (Vic), the Public Administration Act 2004 (Vic), and other applicable legislation. Some of this information may be disclosed to third parties, where required for the above purposes or if required by law.
Credit Card information
PTV may collect a person’s credit card information to process a payment to PTV.
Credit card information collected by PTV will be held in accordance with the Payment Card Industry Data Security Standard (PCI-DSS). The PCI-DSS is a set of requirements for enhancing payment account data security, including requirements for secure network and systems, cardholder data protection, vulnerability management program, access control measures, network monitoring and testing and information security policies.
Use and disclosure of information
PTV uses or discloses to other organisations Personal Information or Health Information for the purpose which it was collectedor for another (secondary purpose) related (or directly related for health information) to the primary purpose or if permitted by the IPPs or HPPs or another law. For example, PTV may not have to comply with IPPs when exercising responsibilities directly related to law enforcement or where the Australian Security and Intelligence Organisation (ASIO), the Australian Secret Intelligence Service (ASIS) or Centrelink have requested the disclosure of your Personal Information or Health Information.
PTV may transfer your Personal Information or Health Information to another individual or organisation in limited circumstances, including that the recipient is subject to a law which upholds similar principles to the IPPs or HPPs, or if the transfer is consented to.
PTV may also provide your Personal Information or Health Information to public transport operators and public transport authorities (for example, Department of Transport, Transport Safety Victoria, a government department or agency including the portfolio agencies/departments) where you raise an issue, query or complaint with PTV, and responding to that issue, query or complaint requires information or response directly to you from that party.
If you make an offer of a gift, benefit or hospitality to a PTV officer or employee because of their role with PTV and that offer is, or may be perceived to be by the recipient, the person making the offer or by the wider community, of more than inconsequential value or worth more than $50, this offer must be declared and recorded on the relevant PTV gift, benefit and hospitality declaration form and register (Gifts Register). The Gifts Register is pubished on this website to promote transparency in PTV and public sector decision making and to comply with the minimum accountabilities for the management of gifts, benefits and hospitality.
Data security and destruction
Irrespective of whether your Personal Information or Health Information is stored electronically or in hard copy form, PTV will take reasonable steps to protect it from misuse and loss and unauthorised access, modification or disclosure.
Credit card information collected by PTV will be held in accordance with the requirements of PCI-DSS. PTV will also take reasonable steps to destroy or permanently de-identify your Personal Information or Health Information if it is no longer needed for the purpose (or a related purpose) for which it was initially collected, unless, in the case of Personal Information, it is subject to the Public Records Act 1973, in which case it will be retained or disposed of in accordance with that legislation.
Data quality, access and correction
PTV will take reasonable steps to ensure that Personal Information and Health Information we collect is accurate, complete and up to date.
People are entitled to contact the PTV Information Privacy Officer (contact details are set out below) and request access to, and correction of any of their Personal Information or Health Information held by PTV. PTV will take reasonable steps to correct and update any Personal Information or Health Information that is established to be inaccurate, incomplete or not up to date or provide you with a written statement if such a request is refused.
If a person’s Personal Information or Health Information is associated with information relating to an event, commercial activities or in some way affects the privacy of another individual, they may need to make a formal Freedom of Information request pursuant to section 17 of the Freedom of Information Act 1982 (Vic). Find out how to make a request at Freedom of Information.
A unique identifier is a code consisting of letters or numbers (not the individual’s name) that is assigned to an individual to distinguish them from other individuals - for example a drivers licence number. or PTV employee number
PTV will not:
- assign, use or disclose unique identifiers to individuals unless it is necessary to do so to carry out one of its organisational functions efficiently
- adopt, use or disclose a unique identifier assigned to any person by another organisation except in limited circumstances
- require people to provide a unique identifier in order to obtain a service, unless it is required or authorised by law or connected to the purpose for which the unique identifier was assigned.
PTV Privacy Officer
If a person believes that their Personal or Health Information has been used by PTV in a manner contrary to the PDP Act or Health Records Act 2001 (Vic), they may contact the PTV Privacy Officer:
By phone: call 1800 800 007
By email: firstname.lastname@example.org
By post: PO Box 4724, Melbourne VIC 3000
Health Complaints Commissioner contact
Complaints about any use of a person’s Health Information which is believed to be contrary to the Health Records Act 2001 (Vic) can be made with the Health Complaints Commissioner. Find more information about submitting complaints in respect of Health Information at the Health Complaints Commissioner website.
Office of the Victorian Information Commissioner
People can also contact the Victorian Information Commissioner for more information or to raise certain complaints about privacy matters and regulation in Victoria. More information is available at the Office of the Victorian Information Commissioner website.